[Dshield] Probing for catch alls.
areust at comcast.net
Sat Jun 25 00:21:23 GMT 2005
Many would have "opinions" about what you just stated. There is a lot to
say, and by your question you are just learning. So, without writing a book,
or telling you that you are on the incorrect list, the short story (not all inclusive):
It could be that a "SPAM List holder" is verifying email addresses.
IF this is the case, then you could expect a fresh pile of SPAM as your
"live email address" was verified (not rejected). You are about to be "sold."
You may have partially checked to see if the IP addresses in the headers
may have been a Legit mail server (owned obviously) which is collecting
NDRs. Or not...
At 11:22 AM 6/24/2005 -0700, you wrote:
>I've been getting what appears to be probes for catch alls to both
>personal and business domains. I'm sure it's just some jerk spammer, but
>was wondering why they'd want to know.
The question would be how many real domains (you mentioned) received the
"same" email? DID you examine the Headers in all those duplicate messages?
They tell a lot... "Commonalities," but you have to dig.
>Basically the Subject is "hi" or "how are ya?" and the body is along the
>lines of "hey, just checkin in on ya" or "hey, how ya been? long time no
For the average user it would appear as a mis-typed/mis-sent message. The
user would only know if they did something like "reply."
Something like, "I am sorry, do I know you? You sent me this message and I do
not know you."
You can see what they just did. You told them they have a live target. They
have either generated something the MTA will reject as a non valid user
(forged domain), or sent a collectable message to a SPAM List
collector. If it was truly a bogus email address they would get a "No Such
User message (depending on who runs the mail server)." Otherwise nothing
would happen and the "user" would forget the incident. They would be logged
with a valid email address and/or a valid IP/Domain.
The best thing to do is have a user report it and then put it in the trash
after the admin has examined it.
>From address is RANDOMNUMBERS_gibberish at forgeddomain.com.
So if it is forgeddomain.com, did you look to see if it actually answers on
port 25? Did you (from a shell/command prompt) do a simple NSLOOKUP and
then set type=MX and type in the Domain Name(s)? The primary DNS server you
connect to will tell you if it is "Real" (yes, there are a few exceptions),
and/or telnet to the IP address on port 25 to compare the forged IP/real IPs?
>Is this something I should be concerned about? Should I expect a spam
>wave soon? Just curious if anyone had any insight on this.
A lot of mail administrators do not reply that the "user" is
non-existent. There are a couple of reasons that various people would tell
you. IF the user does not exist and you return the mail to a forged domain,
it potentially starts a loop... Depending on the settings in the mail
server, you get a reply that user 1296574393 at forged domain.com does not
exist. If the mail administrator does not have the settings correct, then his
mail server bounces the message and you can have a round robin of "email
server to mail server" messages that just keep going.
Most mail administrators tell it to "not reply" and "go to the trash"...
They get a message that it happened but that is about it.
If you get one, feed it to your SPAM filter and tell it you do not want to
see them anymore. Are you targeted, very likely. Can you do anything about
it? No. Please do not click on any link at the bottom called "Remove Me." Let
them "guess"; do not tell them that you are a live email target/address.
There you have a Top Posted, Quoted and Bottom Posted all in one email. LOL
Best of all worlds.
Have a "great" weekend All.
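The "dig for commonalities in the headers" advice above, as an added example that is not part of the original post: it parses a batch of constructed probe messages (the domains, addresses and IPs are made up, RFC 5737 documentation ranges) and reports the Received-chain IPs and sender domains shared by every copy, which is the lead worth checking before deciding whether the forged sender domain really answers on port 25.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not real mail) in the style described in the post:
# the same "hi" probe sent to two different domains from a gibberish forged sender.
SAMPLE_MESSAGES = [
    """Received: from mx.example-personal.test (mx.example-personal.test [192.0.2.10])
Received: from relay.forgeddomain.test (unknown [203.0.113.77])
From: 4817263_xkqz@forgeddomain.test
To: alice@example-personal.test
Subject: hi

hey, just checkin in on ya
""",
    """Received: from mx.example-biz.test (mx.example-biz.test [192.0.2.20])
Received: from relay.forgeddomain.test (unknown [203.0.113.77])
From: 9920131_rtwq@forgeddomain.test
To: sales@example-biz.test
Subject: how are ya?

hey, how ya been? long time no see
""",
]

# Matches the bracketed IP literal an MTA stamps into each Received: hop.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_ips(raw):
    """Return every IP literal found in the Received: chain of one message, in header order."""
    msg = message_from_string(raw)
    return [ip for hdr in msg.get_all("Received", []) for ip in IP_RE.findall(hdr)]

def sender_domain(raw):
    """Domain part of the From: address, lower-cased (the random local part is ignored)."""
    frm = message_from_string(raw)["From"] or ""
    return frm.rsplit("@", 1)[-1].strip("<> ").lower()

def commonalities(messages):
    """IPs and sender domains present in every message of the batch.
    Your own receiving MX differs per domain, so a hop IP shared by all copies
    points at the actual injecting host rather than at the forged From: line."""
    ip_sets = [set(received_ips(m)) for m in messages]
    domains = Counter(sender_domain(m) for m in messages)
    shared_ips = set.intersection(*ip_sets) if ip_sets else set()
    shared_domains = {d for d, n in domains.items() if n == len(messages)}
    return {"ips": sorted(shared_ips), "domains": sorted(shared_domains)}

if __name__ == "__main__":
    print(commonalities(SAMPLE_MESSAGES))
```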